My objective is to get error count by corresponding to Id . I have a csv say abc.csv from which I have to look up Id and display result only corresponding to the Id present in csv. moreover for some logs id is logged as field but for some it is not getting logged as field. I used below query:
index=rxc sourcetype="rxcapp" (level=ERROR) earliest=-30m | rex field=_raw "Id:[\S\s]+?(?<Id>.\d+)" | search [| inputlookup abc.csv | rename id as Id | fields Id]| lookup abc.csv id As Id OUTPUT site| stats count by name site level
It is giving me result correctly when I search but when I go and commit it on github it throws error like below :
REX FIELD checks for use of _raw FAILURE: in file local/searches.conf in section [ABC Error alert] -> rex field cannot = _raw
Is there any way I can achieve what I want without using _raw and "context" is also not logged as field in logs(fyi)
_raw is the default field for rex. You can use the rex command without specifying the field if you are targetting your raw data (e.g. like you are doing). If you want to rex from a table (e.g. stats result) you need to specify the field.
You can always set up a field extraction in props.conf for your sourcetype. This way you don't need to use rex on your search.
What I don't understand is what you mean with an error thrown with the commit to Github. Do you run Splunk app inspect as some sort of workflow action on commit and that's throwing the errors? If that's the case can you post your search stanza ("[ABC Error alert]") from searches.conf?
------------ Hope I was able to help you. If so, an upvote would be appreciated.